The Office of Inspector General (OIG) has broad authority to exclude a healthcare organization from participating in federal healthcare programs (e.g. Medicare, Medicaid). Although exclusions commonly arise from violations of the False Claims Act and Anti-Kickback Statute, there are many other violations that could lead to a permissive exclusion. For instance, the OIG can request immediate access to inspect and copy certain records, and can exclude a healthcare entity for failure to produce the demanded records.
The OIG can demand immediate access to records and data in any medium to ensure compliance with federal healthcare program requirements. You may have to produce records within twenty-four hours from receipt of the OIG request, or sooner if the OIG believes the records are at risk of being altered or destroyed. If you can’t produce the requested records, the OIG can immediately exclude you from participating in federal healthcare programs for at least ninety days.
If you cannot produce the records within the time allotted, you can provide a compelling reason for the delay. However, the OIG decides whether a reason for the delay is truly compelling. The regulations are not clear on what a “compelling reason” is, and responses to comments during the rulemaking process provide only limited context. Fortunately, it appears the OIG does not exclude entities that inadvertently fail to provide access to requested records (e.g. because of a clerical error). However, the OIG is also the sole authority that decides whether a failure to produce records is truly inadvertent.
Because the OIG can request immediate access to records, it’s important to be proactive and maintain a current inventory of the types of records relevant to participation in federal healthcare programs. One way you can prepare to respond to a demand for records on short notice is to create a data map that identifies how records are used, stored, and accessed. You can use the data map to identify relevant records, and determine how you would access and produce those records on short notice. This should help you identify and evaluate any pain points that might arise if you do receive a demand from the OIG.
If you do not already have a data map, consider the following tips as you gauge the accessibility of records:
- Format & Location – Determine the type of media used to store relevant records and identify where records are maintained. For example, clinic billing records may be maintained by each clinic, whereas hospital billing records could be maintained by shared services in the corporate operations center.
- Archives – Ensure archived records are easy to retrieve. If records are stored offsite, determine whether storage boxes sufficiently describe the content of the records. Further, determine whether you can locate, copy, and deliver relevant records to the appropriate facility within twenty-four hours. With respect to electronic or digital records, appoint specific users with access and expertise to quickly find and retrieve archived records.
- Business Associates – Determine whether any records are primarily maintained or stored by business associates (e.g. a remote coding vendor). If so, maintain a list of primary contacts for all business associates, and ensure the Business Associate can produce the records within twenty-four hours. Ideally, this should be a condition of the Business Associate Agreement.
- Unnecessary Records – Determine whether there are redundant, obsolete, and/or trivial records that could delay the production of relevant records. For example, if multiple versions of the relevant records exist, you may need to produce all versions of the same record, rather than the most recently updated version. Destroy unnecessary records in accordance with applicable laws and the organization’s retention schedule to help eliminate unnecessary records.
- User Access – Determine whether any records are only accessible by certain individuals in the organization. If so, create an action plan to contact these individuals on short notice and grant access to backup personnel in case the primary contact is unavailable.
If possible, source and implement one technology solution to track all physical and electronic records across multiple locations. Also consider hiring experts to help create custom retention and destruction procedures customized to how your organization creates and uses records. If a technology solution is not an option for your organization, use the guidelines above. Be sure to take extra care to establish a records management plan that enables you to meet the requirements of federally funded programs. At the very least, map the location and accessibility of records to craft a strategy to respond to a demand to produce records.
 42 CFR § 1001.1301(a)(1)(iii). The OIG may exclude any individual or organization that fails to grant immediate access upon reasonable request to . . . the OIG for reviewing records, documents, and other material or data in any medium (including electronically stores information and any tangible thing) necessary to the OIG’s statutory functions
 42 CFR § 1001.1301(a)(3). See definition of Failure to grant immediate access.
 82 FR 4107 accessed at https://www.federalregister.gov/d/2016-31390/page-4107
Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.